Looking for PoCs of rootlayer.net in Amsterdam. - AS51447 and in upstream providers

• Previous message (by thread): Can rr.ntt.net have a AAAA record please?
• Next message (by thread): Widespread connectivity problems in the west, possibly Lumen
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello NANOG – longtime lurker, first time poster.

I am requesting some assistance today with stopping a pervasive malware 
campaign being sent via email from multiple open proxies in the 
following IP blocks:
45.137.20.0 - 45.137.23.255
185.222.56.0 - 185.222.59.255

This IP space is assigned to rootlayer.net in Amsterdam. - AS51447
% Abuse contact for 'AS51447' is 'complain at rootlayer.net'

All email has contained some sort of malicious code: ransomware, 
trojans, info sealers, and other various malware (some known and some 
brand new/not detected yet). The email content is spoofing various 
legitimate companies and banks.

Since the beginning of the year when I became involved in a particular 
customer (elderly owner of a small business), we have been sending at 
least 5 complaints a day (one for each email) to complain at rootlayer.net, 
all reporting has been ignored. The most recent spoof & malware email 
was received at 16:33 PM PST 5 Feb 2023.

Frankly, we have grown tired of filing abuse complaints into the black 
hole while an elderly gentleman is being targeted. I am not sure a 
contact at Rootlayer will be helpful at this point, but if someone has a 
contact it would be appreciated.

More importantly, anyone have a contact at their upstream providers that 
may be able to beat down these criminal activities and Rootlayer?
AS49981 - WorldStream B.V.
AS49453 - Global Layer B.V.

Any assistance would be greatly appreciated – thank you.


Stay safe,

• Previous message (by thread): Can rr.ntt.net have a AAAA record please?
• Next message (by thread): Widespread connectivity problems in the west, possibly Lumen
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]